If you go look at the security declaration and the links into the jackson changeset it'll list what's been patched. Sorry, not a complete answer, but best I can easily give.
--
_________________________________________________________
Adam Brin
Director of Technology, Digital Antiquity
480.965.1278

> On Dec 6, 2017, at 12:33 PM, upendar devu <devulapal...@gmail.com> wrote:
>
> Thank you for the response. You mentioned that I'm still impacted even
> when not using the REST plugin since the vulnerability is found in the latest
> jackson library. But we are using version 2.7 and not the latest version;
> do you think the issue still exists with version 2.7?
>
> Thanks
>
> On Wed, Dec 6, 2017 at 1:35 PM, Yasser Zamani <yasserzam...@apache.org> wrote:
>
>> On 12/6/2017 9:40 PM, upendar devu wrote:
>>> Is this impact for those using Struts based REST plugin?
>>
>> CVE-2017-15707 [1] is for those using Struts' REST Plugin [2]. Before
>> 2.5.14.1 this plugin uses json-lib library [3] which is not updated for
>> several years and is vulnerable. After 2.5.14 Struts replaced this
>> library with jackson.
>>
>>> I'm not using this but the below jackson versions are being used. Are we
>>> impacted? Please confirm along with a detailed problem statement of who will be
>>> impacted on these 2 CVEs.
>>>
>>> jackson-annotations-2.7.0.jar
>>> jackson-module-jaxb-annotations-2.7.1.jar
>>> jackson-jaxrs-json-provider-2.7.1.jar
>>> jackson-jaxrs-base-2.7.1.jar
>>> jackson-databind-2.7.1.jar
>>> jackson-core-2.7.1.jar
>>
>> Yes you're impacted. "A vulnerability was detected in the latest Jackson
>> JSON library, which was reported here. Upgrade com.fasterxml.jackson to
>> version 2.9.2 to address CVE-2017-7525" [4]. If you don't use Struts'
>> REST Plugin then you still are impacted because this vulnerability is
>> with jackson itself [5].
>>
>> Hope these help,
>> Yasser.
>>
>> [1] https://cwiki.apache.org/confluence/display/WW/S2-054
>> [2] https://mvnrepository.com/artifact/org.apache.struts/struts2-rest-plugin
>> [3] https://sourceforge.net/projects/json-lib/files/
>> [4] https://cwiki.apache.org/confluence/display/WW/S2-055
>> [5] https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-342983770

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
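An added example, not from the thread: a small checker that applies the two thresholds the replies state (Struts REST plugin fixed in 2.5.14.1 for CVE-2017-15707, jackson-databind fixed in 2.9.2 for CVE-2017-7525) to a list of jar file names such as the one posted above. It assumes jars follow the Maven `artifact-version[-qualifier].jar` naming convention and compares versions numerically, so 2.10.x is correctly treated as newer than 2.9.2.

```python
import re
from typing import List, Optional, Tuple

# Fix thresholds as stated in the thread (advisories S2-054 and S2-055):
# a version strictly below the threshold is reported as affected.
FIXED_IN = {
    "struts2-rest-plugin": ((2, 5, 14, 1), "CVE-2017-15707"),
    "jackson-databind": ((2, 9, 2), "CVE-2017-7525"),
}

# artifact id, then "-" and a dotted numeric version, optional qualifier, ".jar"
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[-.][A-Za-z0-9]+)?\.jar$"
)


def parse_jar(name: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Split 'jackson-databind-2.7.1.jar' into ('jackson-databind', (2, 7, 1))."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group("artifact"), tuple(int(p) for p in m.group("version").split("."))


def is_affected(artifact: str, version: Tuple[int, ...]) -> Optional[str]:
    """Return the CVE id if this artifact/version is below its fix threshold, else None.
    Missing trailing components count as 0, so 2.5.14 < 2.5.14.1 (matches 'before 2.5.14.1')."""
    if artifact not in FIXED_IN:
        return None
    fixed, cve = FIXED_IN[artifact]
    width = max(len(fixed), len(version))
    pad = lambda v: v + (0,) * (width - len(v))
    return cve if pad(version) < pad(fixed) else None


def scan(jar_names: List[str]) -> List[Tuple[str, str]]:
    """Return (jar name, CVE id) for every jar that is below a known fix threshold."""
    findings = []
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue  # not a Maven-style jar name; nothing to compare
        cve = is_affected(*parsed)
        if cve:
            findings.append((name, cve))
    return findings


# Constructed sample: the six jars posted in the thread plus a REST plugin jar.
SAMPLE_LIB_DIR = [
    "jackson-annotations-2.7.0.jar", "jackson-module-jaxb-annotations-2.7.1.jar",
    "jackson-jaxrs-json-provider-2.7.1.jar", "jackson-jaxrs-base-2.7.1.jar",
    "jackson-databind-2.7.1.jar", "jackson-core-2.7.1.jar", "struts2-rest-plugin-2.5.13.jar",
]

if __name__ == "__main__":
    for jar, cve in scan(SAMPLE_LIB_DIR):
        print(f"{jar}: below fix threshold for {cve}")
```

Pointing the scan at a real `WEB-INF/lib` listing (for example the output of `ls`) reports only the databind and REST plugin jars, because the other jackson modules are not the artifact the advisory names.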